Key findings:
- The MidgeDropper malware variant is a new and sophisticated threat that targets Windows users.
- The malware is delivered via phishing emails that contain an RAR archive with two files: a PDF and an executable file.
- The PDF file contains an error message that is designed to trick users into opening the executable file.
- The executable file drops several other files, including a renamed version of a Microsoft application and a malicious DLL file.
- The malware uses sideloading to execute the malicious code in the DLL file.
- Fortinet customers are protected from the MidgeDropper malware variant.
- Researchers urge users to take precautions against phishing attacks, such as training end users on internet threats and using the best AV tools to detect threats timely.
FortiGuard Labs’ James Slaughter and Shunichi Imano have written a detailed blog post explaining the mechanisms of a newly discovered medium-severity MidgeDropper malware variant specifically targeting Windows-based systems.
In their report published on 12 Sep 2023, Slaughter and Imano noted that this is a previously unseen dropper variant with a rather complex infection chain featuring a range of capabilities such as sideloading and code obfuscation, making it a novel malware.
Researchers claimed that the malware’s initial infection vector is yet unknown to them, but they suspect it to be a phishing email as they gained access to a RAR archive (!PENTING_LIST OF OFFICERS.rar). This seems like an attachment included in the email. In this archive, there are two files titled:
- “Notice to Work-From-Home groups.pdf”
- “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”
The PDF file contains an error message image indicating that this document has failed to load. This is a decoy to diver the recipient’s attention to clicking on and executing the second file, which is fairly large (6.7MB). Given that Windows hides file extensions, the recipient won’t notice that it is an executable file and will click on it, considering it another PDF. This file serves as the dropper for different infection stages and drops the following files:
- “IC.exe”
- “power.exe”
- “power.xml”
- “Microsoft Office.doc”
By accessing this address “hXXp://1852256837/jay/nl/seAgnt.exe”, the dropper file also fetches “seAgnt.exe.” IC.exe obtains the infection’s next stage and also downloads another file, “VCRUNTIME140_1.dll,” from this URL “1852256837.” Moreover, power.exe and power.xml are dropped together by the executable where power.exe decodes and processes power.xml. The most crucial task of these files is launching “seAgnt.exe.”
It is a renamed version of “GameBarFTServer.exe,”, a Microsoft application, and is a background process for the Xbox Game Bar that runs on Windows devices. SeAgnt.exe seems benign, but it depends upon VCRUNTIME140_1.dll (a legit DLL file) for executing the malicious code inside the DLL. The file VCRUNTIME140_1.dll is designed with the malicious version of the Microsoft Visual C++ runtime package.
This is where the malware designers have used the sideloading technique. Since DLL files don’t exist as an independent executable, another application is used to load the code into the memory for execution and seAgnt.exe serves as that application. Researchers couldn’t investigate the final payload because the infection chain links were taken down just when they started analyzing.
In its report, FortiGuard states that Fortinet customers are protected from this malware. Nevertheless, researchers suggest employing all necessary preventive measures to detect and mitigate phishing threats. This includes training end users on internet threats and using the best AV tools to detect threats timely.
RELATED ARTICLES
- FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
- New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs
- Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware
- Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining